Wires up the Oracle database as a first-class PAM resource type, paired
with the CLI gateway's Oracle proxied-auth handler.

Backend:
- New oracle-resource-* module under ee/services/pam-resource/oracle/
  with resource + account schemas and list-item metadata.
- Registers OracleDB in the resource enum, factory, list, and type
  unions; routes it through the shared SQL resource factory (same
  connect/rotate/validate contract as Postgres / MySQL / MSSQL).
- Adds Oracle to the account credentials service, resource router
  response schemas, and account router schemas.

Frontend:
- New OracleDBResourceForm / OracleDBAccountForm using the shared SQL
  field sets (host, port, database, SSL toggles, certificate PEM).
- PamResourceForm / PamAccountForm dispatch the new forms for
  PamResourceType.OracleDB.
- Account-by-id, resource-by-id and access-account modal pages handle
  the Oracle case.
- Removes OracleDB from the "coming soon" list in ResourceTypeSelect
  now that it's shippable.

Works together with the CLI gateway's Oracle handler
(packages/pam/handlers/oracle) — end-to-end verified against AWS RDS
Oracle 19c including TCPS (see cli.oracle-db commit fa44af8).

Matches MySQL and MSSQL — we haven't verified password rotation against
Oracle end-to-end, so stub rotateCredentials with "Unsupported
operation" for now rather than ship untested ALTER USER code. The
rotation logic can come back in a follow-up once it's tested against
a representative set of Oracle targets.

Rotation was stubbed in the previous commit, so the probe's module
comment no longer needs to reference it as a code path that goes
through node-oracledb. Mentions only account credential validation now.

New page at docs/documentation/platform/pam/getting-started/resources/oracle.mdx
covering: how Oracle access works through the gateway (with the
protocol-placeholder password explanation), resource setup
(including the TCPS/SSL options and port 2484), account creation,
CLI access flow, and the supported/unsupported matrix for v1 —
Autonomous DB, RAC with SCAN, and NNE are called out explicitly
as known limitations.

…ount validation

- probeOracleTls now threads sslRejectUnauthorized (was hardcoded to
  !!caPem, which silently disabled cert validation on default form state)
  and sends the configured upstream host as TLS SNI (was hardcoded to
  "localhost").
- Moved probeOracleTls out of the generic sql-resource-factory into
  oracle/oracle-tls-probe.ts alongside the other Oracle resource files,
  and switched it to a named-options signature for readability.
- Account credential validation skipped when sslEnabled=true. node-oracledb
  thin mode has no inline-CA option (only a wallet file requiring a
  matching cert+key pair), so it can't consume the resource's pasted CA.
  Resource-save validation still runs the raw TLS probe. Bad creds on TLS
  Oracle accounts will surface on first session use. Credential validation
  for every DB type should eventually move to the gateway where
  per-connection CA handling is straightforward.
- Removed unreachable TCPS connectString branch; the only caller of
  openConnection now is the non-SSL path.

…se union

Addresses reviewer finding that OracleSessionCredentialsSchema was
defined but never imported. The schema is the response shape for
GET /:sessionId/credentials (the endpoint gateways hit to fetch live
session credentials). Other SQL dialects are already in the zod union
in pam-session-router.ts; Oracle was missing.

Runtime happened to work because Oracle's credentials are structurally
identical to MySQL's (both extend BaseSqlResourceConnectionDetails +
BaseSqlAccountCredentials), so the response validator accepted Oracle
payloads as if they were MySQL. Adding Oracle explicitly makes the
schema validation Oracle-aware rather than relying on that coincidence.

(Note: MsSQL and WindowsServer have the same pattern — defined but not
in the union — but fixing those is pre-existing and out of scope here.)

…aming parity

Every other dialect in pam-resource/ uses the <dialect>-resource-<kind>
file naming pattern (factory / fns / schemas / types / enums). The
probe helper was sitting in a freshly-named oracle-tls-probe.ts, which
broke that convention.

Moved probeOracleTls (and its ProbeOracleTlsArgs interface) into the
existing oracle-resource-fns.ts alongside getOracleResourceListItem.
Deleted oracle-tls-probe.ts. Import path in sql-resource-factory
updated accordingly. No behavior change.

…andard files

Reviewer feedback: ProbeOracleTlsArgs should be a type (not interface)
and should live in oracle-resource-types.ts with the other T* types;
the timeout constant should live in a constants file.

- Moved ProbeOracleTlsArgs to oracle-resource-types.ts as type
  TProbeOracleTlsArgs (matches the T-prefixed type convention already
  used in that file).
- New oracle-resource-constants.ts with ORACLE_TLS_PROBE_TIMEOUT_MS
  (matches the <service>-constants.ts pattern used elsewhere —
  pam-account-policy-constants.ts, gateway-v2-constants.ts,
  relay-constants.ts, etc.).
- oracle-resource-fns.ts now imports both and stays focused on the
  probeOracleTls implementation + getOracleResourceListItem helper.

No behavior change.

Trim bloated JSDoc blocks and section headers. Keep only
the one non-obvious comment (servername used for TLS SNI + cert
validation, not for TCP dialing).

…types)

Restrict the database (service name) field to Oracle's allowed character
set: must start with a letter, then letters/digits/underscores/dots/#/$.
Max 128 chars. Applied in both backend Zod schema and frontend form
validation.

…tion

Switch to tcps:// connect string when SSL is enabled so node-oracledb
can validate credentials over TLS. The TLS probe is now only used when
a custom CA is provided (to validate the cert chain, since thin mode
can't accept an inline CA). Any Oracle response (including auth errors)
on resource save is treated as reachable.

Credential validation now works for SSL without custom CA (e.g., OCI
Autonomous DB). The gap remains for SSL + custom CA not in the system
trust store (e.g., AWS RDS with pasted CA) — creds are checked on
first PAM session.